patch: libXt-1.0.8 fix possible array overflow

walter harms wharms at bfs.de
Thu Sep 23 11:37:37 PDT 2010



Pat Kane schrieb:
> In the original code if 'i' is equal to 10 then the line
>    (void) memmove((char*)par, (char*)params, i * sizeof(String) );
> moves ten things, which is okay.
> 
> The next line:
>    bzero( &par[i], (10-i) * sizeof(String) );
> moves zero things to a bad address, which is probably okay,
> but I bet some code checker would complain.
> 
> The code is very ugly.
> 

yes,
i can fix that too but i still feel that
i=10
bzero( &par[i], (10-i) * sizeof(String) );

setting the limit to i=9 would fix that.

most maintainers prefer 1 fix 1 patch, i can send a revisited patch

re,
 wh



More information about the xorg mailing list